From 82ff1acf035d277dd2e7b9d7fc6e060ab2415144 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Wed, 26 Apr 2017 12:36:10 +0300 Subject: Internal TLS: Use specific CA file for haproxy Instead of using the CA bundle, this sets HAProxy to use a specific file for validating the certificates of the services it's proxying. This helps in two ways: * Improves performance since validation will check only one certificate. * Improves security since we're only the certificates signed by one CA are valid, instead of any certificate that the system trusts (which could include potentially compromised public certs). Change-Id: Id6de045b3c93c82d37e0b0657c17a3108516016a --- puppet/services/haproxy.yaml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'puppet') diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index c651bbe5..e32b44dd 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -37,6 +37,11 @@ parameters: MonitoringSubscriptionHaproxy: default: 'overcloud-haproxy' type: string + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. resources: @@ -71,6 +76,7 @@ outputs: tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile} tripleo::profile::base::haproxy::certificates_specs: map_merge: - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] -- cgit 1.2.3-korg